Is PII Information?
Dear Dejan,
I have a question for you if you can help me on this.
Is customer PII considered as Information in ISO27001:2013 Standard?
If yes, then shouldn't monitoring of PII shared with vendors be mandatory and not dependent upon a contractual agreement? Shouldn't this activity not be allowed to be excluded from the contractual agreement?
This question confuses me regarding allowing exclusions in an ISMS.
1 - Is customer PII considered as Information in ISO 27001:2013 Standard?
Answer: Information is any data with meaning, and ISO 27001 was designed to protect any kind of information, so customer Personally Identifiable Information (PII) is also considered to be in its scope.
These articles will provide you with a further explanation of ISO 27001:
- What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
- Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/
This material will also help you regarding ISO 27001:
- ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
2 - If yes, then shouldn't monitoring of PII shared with vendors be mandatory and not dependent upon a contractual agreement? Shouldn't this activity not be allowed to be excluded from the contractual agreement? This question confuses me regarding allowing exclusions in an ISMS.
Answer: First, it is important to note that in most countries the protection of PII is not a contractual obligation, but a legal obligation. For example, we have the GDPR in Europe, the CCPA in the U.S., and the LGPD in Brazil.
The GDPR and other regulations require a contract between a controller and a processor, both when the outsourced processing is done within the country and when it is done outside the country.
For further information, see:
- EU GDPR Foundations Course https://advisera.com/training/eu-gdpr-foundations-course//
Dec 20, 2020